PoshC2

PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]

ID: S0378
Type: TOOL
Platforms: Windows, Linux, macOS
Version: 1.1

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

PoshC2 contains a number of modules, such as Invoke-RunAs and Invoke-TokenManipulation, for manipulating tokens.[1]

Enterprise T1087 Account Discovery

PoshC2 can enumerate local and domain user account information.[1]

Enterprise T1119 Automated Collection

PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers.[1]

Enterprise T1110 Brute Force

PoshC2 has modules for brute forcing local administrator and AD user accounts.[1]

Enterprise T1088 Bypass User Account Control

PoshC2 can utilize multiple methods to bypass UAC.[1]

Enterprise T1090 Connection Proxy

PoshC2 contains modules that allow for use of proxies in command and control.[1]

Enterprise T1003 Credential Dumping

PoshC2 contains an implementation of Mimikatz to gather credentials from memory.[1]

Enterprise T1081 Credentials in Files

PoshC2 contains modules for searching for passwords in local and remote files.[1]

Enterprise T1002 Data Compressed

PoshC2 contains a module for compressing data using ZIP.[1]

Enterprise T1482 Domain Trust Discovery

PoshC2 has modules for enumerating domain trusts.[1]

Enterprise T1068 Exploitation for Privilege Escalation

PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[1]

Enterprise T1210 Exploitation of Remote Services

PoshC2 contains a module for exploiting SMB via EternalBlue.[1]

Enterprise T1083 File and Directory Discovery

PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.[1]

Enterprise T1056 Input Capture

PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.[1]

Enterprise T1171 LLMNR/NBT-NS Poisoning and Relay

PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.[1]

Enterprise T1046 Network Service Scanning

PoshC2 can perform port scans from an infected host.[1]

Enterprise T1040 Network Sniffing

PoshC2 contains a module for taking packet captures on compromised hosts.[1]

Enterprise T1075 Pass the Hash

PoshC2 has a number of modules that leverage pass the hash for lateral movement.[1]

Enterprise T1201 Password Policy Discovery

PoshC2 can use Get-PassPol to enumerate the domain password policy.[1]

Enterprise T1069 Permission Groups Discovery

PoshC2 contains modules, such as Get-LocAdm for enumerating permission groups.[1]

Enterprise T1055 Process Injection

PoshC2 contains multiple modules for injecting into processes, such as Invoke-PSInject.[1]

Enterprise T1035 Service Execution

PoshC2 contains an implementation of PsExec for remote execution.[1]

Enterprise T1071 Standard Application Layer Protocol

PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.[1]

Enterprise T1082 System Information Discovery

PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[1]

Enterprise T1016 System Network Configuration Discovery

PoshC2 can enumerate network adapter information.[1]

Enterprise T1049 System Network Connections Discovery

PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections.[1]

Enterprise T1007 System Service Discovery

PoshC2 can enumerate service and service permission information.[1]

Enterprise T1047 Windows Management Instrumentation

PoshC2 has a number of modules that use WMI to execute tasks.[1]

Enterprise T1084 Windows Management Instrumentation Event Subscription

PoshC2 has the ability to persist on a system using WMI events.[1]

Groups That Use This Software

ID Name References
G0064 APT33 [2] [3]

References